rvlsoft - Fotolia
MSP cybersecurity and compliance challenges loom in 2021
With the rocky 2020 nearing its close, MSPs should expect significant shifts in the cybersecurity and compliance landscape ahead, according to NinjaRMM's CISO.
2020 has been a very memorable year, to say the least. However, amidst the challenges, MSPs can find a few silver linings. For one, many businesses have learned to rapidly adapt to uncertainty in the new economic climate.
The learning curve, although steep, has provided the opportunity to develop invaluable skills for 2021, including the ability to stay on your toes and continually think ahead. According to Lewis Huynh, CSO of NinjaRMM, an MSP software provider based in San Francisco, foresight and planning will prove to be businesses' greatest tools in the coming months.
Wanting to make use of these tools himself, Huynh aimed to move NinjaRMM a few steps forward in regards to cybersecurity and compliance this year. He said the company's strong infrastructure and security culture aided in his quest, but the upgrades were far from simple. "When someone … tries to bring so many parts of an organization under one umbrella, it can be quite a learning process," he said. "It's a bit like drinking from a fire hose."
The changes he made at NinjaRMM this year helped advance the company's agenda in the MSP software market, he said. They also provided him with greater insight into what the future demands of cybersecurity and regulatory compliance could look like for MSPs, he said.
Prepare to focus on security and compliance issues
Huynh said security and compliance will open more opportunities for MSPs to help their customers in 2021.
In the current pandemic, sharp business leaders can find ways for their companies to evolve -- particularly when it comes to cybersecurity and regulatory compliance. "There's a really good opportunity for all types of leadership to take a look at security and compliance," Huynh said.
For example, while companies put much thought and effort into enabling employees to work, they don't put nearly enough thought into how to secure them. "There should be a trend … that leadership needs to redefine how they think about IT, security and compliance," he noted.
Huynh suggests businesses should try to think outside of a normal workday to better appreciate the threat of ransomware, potential seven-digit fines for failing to meet regulatory compliance requirements and other data security issues.
One simple measure businesses can take to protect themselves and their employees is to provide a dedicated work laptop, Huynh said. This greatly increases the level of protection and helps secure all end users, regardless of how security savvy they are. "If you spent all this money on a corporate IT team, spending this extra amount [on dedicated work laptops] might hurt in the beginning, but the payoff is huge," he said. "Don't underestimate the ability to control and protect. It's just not something you can account for in dollars upfront or in monthly revenue."
Huynh thinks 2021 will also be a great time for MSPs to evaluate internal teams. He notes that most MSPs lack a formalized internal governance team or dedicated security staff. "It's a good time to see if someone on your team could flip their role, maybe a system admin who has a lot of security knowledge. But regardless of who fills the role, it certainly needs to become a priority to MSPs," he said.
Cybersecurity risks continue to expand
Cyber attacks will continue to grow more widespread in 2021, and Huynh said he is surprised that there hasn't been an even larger spike in attacks. "What's really curious is that more hacking hasn't been occurring at a higher level," he said. "It's almost like the hackers haven't considered what they have in front of them."
When considering the available attack vectors due to the increase in remote workforces, Lewis predicts 2021 will see a lot of ransomware takeovers if companies don't step up their cybersecurity game. "You really have to be vigilant as a company. Security should be a part of your culture in daily life. This is going to be a huge snowball that eventually crashes at the bottom of the hill, and it'll be a wake-up call."
Additionally, MSPs should weigh the trend of countries and U.S. states changing or ramping up their privacy laws. NinjaRMM's MSP customers have increasingly asked the company about compliance and where there might be gaps in the technologies they use, Huynh said.
Similarly, vertical industries have to deal with various governing bodies issuing different regulatory frameworks. The commonality between most of the regulations is that they use the National Institute of Standards and Technology or International Organization for Standardization frameworks. "Depending on the regulations that apply to you, take a look at the prescription and look at the framework. Apply it towards your organization," Huynh said.
He noted that he followed his own advice and improved NinjaRMM's compliance posture. "We look for the most common denominator [in regulatory frameworks], as strict as possible, because if we can hit that metric, we can secure everything for everyone's clients, present and future."
How to stay ahead of the compliance curve
Today, there isn't a clear definition or application of privacy laws across the U.S. (or world, for that matter). Some geographies have taken a firmer stance on consumer protection than others, such as California, which passed the California Consumer Privacy Act in 2018, and the European Union, which approved the General Data Protection Regulation in 2016.
The varying levels of regulatory requirements have led to some major issues and questions about what set of rules a business should follow. That's the case particularly for companies that operate in many locations. For MSPs, Huynh said, "when working [with customers] that have a global presence in multiple countries, you [must] take the highest level of privacy awareness and concern that you might have or face and apply it across your framework."
He added that companies should examine regulatory guidelines whether they operate abroad or not. This way, a business will meet a minimum level of the requirements and can be assured that they will either meet or stay a little ahead of the compliance curve.
Huynh expects 2021 to introduce stricter compliance laws across the board. From a global perspective, many developed nations haven't yet taken a strong stand on security and compliance issues and will soon adopt a partnership type of approach. In the U.S., the approach toward compliance has differed state by state. "It's really hard for the U.S. to apply 'one size fits all.' That's why you'll see things like what's happening in California," he said.
